Google in New Privacy Probes

The U.S. and European Union are investigating Google for its practice of bypassing the privacy settings of millions of users of Apple's Safari Web browser, Julia Angwin reports on the News Hub. Photo: AFP/ Getty Images.

By

Julia Angwin

Updated March 16, 2012 10:04 a.m. ET

Regulators in the U.S. and European Union are investigating Google Inc. for bypassing the privacy settings of millions of users of Apple Inc.AAPL-0.87%'s Safari Web browser, according to people familiar with the investigations. Google stopped the practice last month after being contacted by The Wall Street Journal.

Tracking Leaves a Trail

For several months, Google used special code to place a tracking tool called a cookie on the computers and gadgets of people who used Apple's Safari Web browser, despite the fact that Safari usually blocks such tracking. Here's how it worked.

For several months, Google used special code to place a tracking tool called a cookie on the computers and gadgets of people who used Apple's Safari Web browser, despite the fact that Safari usually blocks such tracking. Here's how it worked.

The investigations—which span U.S. federal and state agencies, as well as a pan-European effort led by France—could embroil Google in years of legal battles and result in hefty fines for privacy violations. The Journal in February reported that Google was using special computer code to install tiny tracking files, or "cookies," on some people's computers, iPhones and iPads, even if the devices were set to block this kind of tracking.

"We will of course cooperate with any officials who have questions," a Google spokeswoman said. "But it's important to remember that we didn't anticipate this would happen, and we have been removing these advertising cookies from Safari browsers."

In the U.S., the Federal Trade Commission is examining whether Google's actions violated last year's legal settlement with the government in which Google pledged not to "misrepresent" its privacy practices to consumers, according to people familiar with the investigation.

The fine for violating the agreement is $16,000 per violation, per day. Because millions of people were affected, any fine could add up quickly, depending on how it is calculated. The FTC declined to comment.

A group of state attorneys general, including New York's Eric Schneiderman and Connecticut's George Jepsen, are also investigating Google's circumvention of Safari's privacy settings, according to people familiar with the investigation. State attorneys general can have the ability to levy fines of up to $5,000 per violation.

More

In Europe, the French Commission Nationale de l'Informatique et des Libertés, or CNIL, has added the Safari circumvention technique to its existing pan-European investigation into Google's privacy-policy changes, according to a person close to the investigation. The CNIL is the agency that levied a €100,000 ($130,960) fine on Google last year for collecting passwords and other personal information when Google vehicles were gathering information for its Street View map service.

CNIL didn't respond to a request for comment. At the time, Google apologized for its mistake and said it would delete the data it collected.

Google makes most of its money selling online ads. Like many ad companies, it uses cookies to track information about a person's online activities in order to serve targeted ads.

Advertisers will pay a premium for highly targeted ads, and Google is in a heated battle with social-networking rival Facebook Inc. for these ad dollars.

The investigations in the U.S. and Europe suggest the toll that the rivalry has taken on Google as it tries to build more social-networking tools into its own products to compete with Facebook.

Google previously acknowledged it began circumventing Safari's privacy settings last year in order to embed a social-networking feature—what it calls a "+1" button—in some ads. Roughly akin to a Facebook "like" button, it would let people tell friends that they found an ad useful. Google said the subsequent tracking of Safari users was inadvertent.

This week, a former Google executive, James Whittaker, released a public letter stating that he left the company because he felt it was trying too hard to push its rival social-networking service, Google+, into all corners of the organization.

Mr. Whittaker wrote that Google+ had become "an ominous name invoking the feeling that Google alone wasn't enough."

ENLARGE

Regulators in the U.S. and European Union are investigating Google for bypassing the privacy settings of millions of users of Apple's Safari Web browser.
Getty Images

Last year, the FTC charged Google with deceptive practices related to its rollout of another social-networking service, Buzz. The commission alleged, among other things, that users who agreed to join Buzz weren't adequately informed that the identity of the people they emailed most frequently would be visible to others by default.

To settle the civil case, Google agreed to a number of measures, including putting in place a "comprehensive privacy program" that conducts privacy-risk assessments of Google's products and services and is audited by a third party every other year.

Google didn't admit wrongdoing in the settlement. Buzz was eventually killed.

Now the commission is investigating whether Google has violated that agreement, which included a pledge not to misrepresent its privacy practices. "It's a pretty clear case of deception," said Justin Brookman, director of consumer privacy project at the Center for Democracy and Technology, an Internet advocacy nonprofit that gets some of its funding from Google.

Mr. Brookman said the FTC may have a hard time obtaining penalties from Google for violating its settlement agreement, because the law requires proof that Google acted intentionally. Google has argued that the consumer tracking that resulted from its actions was inadvertent.

Apple's Safari Web browser is the most widely used browser on mobile devices. It is designed to block by default the kind of tracking files Google was installing.

One person close to the situation said the FTC has been seeking information about how many users were affected by the privacy breach. That would imply that the agency is attempting to calculate the size of a possible fine, according to a person familiar with the situation.

This copy is for your personal, non-commercial use only. Distribution and use of this material are governed by our Subscriber Agreement and by copyright law. For non-personal use or to order multiple copies, please contact Dow Jones Reprints at 1-800-843-0008 or visit www.djreprints.com.